| 1 | + |
| 2 | +## Challenge |
| 3 | +Our operatives have recovered a DeLorean in the ruins of an old mid-west US |
| 4 | +town. It appears to be locked, but we have successfully accessed its internal |
| 5 | +communications channels. According to the little data we have, the DeLorean |
| 6 | +internally uses an archaic technology called CAN bus. We need you to analyze |
| 7 | +the communications and find a way to unlock the vehicle; once unlocked, recover |
| 8 | +the secret flag stored inside. We have reason to believe that vehicle entry |
| 9 | +should be a fairly easy challenge, but to aid you in this, we have restored and |
| 10 | +reconnected the vehicle dashboard. |
| 11 | + |
| 12 | +Best of luck. |
| 13 | + |
| 14 | +The Dashboard app is available here. |
| 15 | + |
| 16 | +Challenge developed by Argus Cyber Security. |
| 17 | + |
| 18 | +## Packet Structure |
| 19 | +PROTOCOL: each message has the following structure: |
| 20 | +- 4-byte magic |
| 21 | +- 1-byte operation type |
| 22 | +- 1-byte length |
| 23 | +- value (2 bytes for everything except Text_Op, little endian. ) |
| 24 | + |
| 25 | +```python |
| 26 | + FRAME_MAGIC = 'E824F65A'.decode('hex') |
| 27 | + MPH_OP = 0x30 # <= 100 |
| 28 | + RPM_OP = 0x31 # <= 5000 |
| 29 | + Temp_OP = 0x32 # <= 160 |
| 30 | + Batt_OP = 0x33 # <= 20 |
| 31 | + AAC_OP = 0x34 # <= 100 -- possibly A/C? |
| 32 | + MAF_OP = 0x35 # <= 500 -- Mass Air Flow (to engine) |
| 33 | + Text_OP = 0x36 |
| 34 | + IND_OP = 0x37 |
| 35 | + IND2_OP = 0x38 |
| 36 | +``` |
| 37 | + |
| 38 | +## Running it |
| 39 | +Just connecting and watching, we see: |
| 40 | + MPH: 32-39 |
| 41 | + RPM: 2000-2060 |
| 42 | + Temp: 74-77 degrees |
| 43 | + Batt: 12 (volts) |
| 44 | + AAC: 77-80% |
| 45 | + MAF: 286-300 mV |
| 46 | + |
| 47 | +And no: |
| 48 | + Text: |
| 49 | + IND: |
| 50 | + IND2: |
| 51 | + |
| 52 | +## CAN |
| 53 | +```sh |
| 54 | +ip link show dev can0 |
| 55 | +ip link set can0 type can help |
| 56 | +sudo ip link set can0 type can bitrate 500000 listen-only on |
| 57 | +sudo ip link set can0 up |
| 58 | +candump -cae can0,0:0,#FFFFFFFF |
| 59 | +``` |
| 60 | + |
| 61 | +WARNING: listen-only |
| 62 | + |
| 63 | +I connected the logic analyzer. It can't read CAN-H, but can parse CAN-L just fine. |
| 64 | +Use a bitrate of 49,500. |
| 65 | + |
| 66 | +### dashboard debug Capture: |
| 67 | +AAC_Value = 77 |
| 68 | +AAC_Value = 79 |
| 69 | + |
| 70 | +BATT_Value = 12 |
| 71 | + |
| 72 | +MAF_Value = 303 |
| 73 | +MAF_Value = 310 |
| 74 | + |
| 75 | +MPH_Value = 37 |
| 76 | +MPH_Value = 38 |
| 77 | +MPH_Value = 39 |
| 78 | + |
| 79 | +RPM_Value = 2040 |
| 80 | +RPM_Value = 2050 |
| 81 | +RPM_Value = 2060 |
| 82 | + |
| 83 | +TEMP_Value = 77 |
| 84 | +TEMP_Value = 78 |
| 85 | + |
| 86 | +### Logic Analyzer Capture: |
| 87 | +(sorted, uniq) |
| 88 | + |
| 89 | +#### 0x023: MPH / RPM / 0x20 |
| 90 | + * MPH RPM |
| 91 | +0x023,0x5,0x0020 0x07C6 0x20 |
| 92 | +0x023,0x5,0x0020 0x07DA 0x20 |
| 93 | +0x023,0x5,0x0020 0x07E4 0x20 |
| 94 | +0x023,0x5,0x0021 0x07BC 0x20 |
| 95 | +0x023,0x5,0x0021 0x07C6 0x20 |
| 96 | +0x023,0x5,0x0021 0x07DA 0x20 |
| 97 | +0x023,0x5,0x0021 0x07E4 0x20 |
| 98 | +0x023,0x5,0x0022 0x07BC 0x20 |
| 99 | +0x023,0x5,0x0022 0x07C6 0x20 |
| 100 | +0x023,0x5,0x0022 0x07D0 0x20 |
| 101 | +0x023,0x5,0x0023 0x07D0 0x20 |
| 102 | +0x023,0x5,0x0024 0x07DA 0x20 |
| 103 | +0x023,0x5,0x0024 0x07E4 0x20 |
| 104 | +0x023,0x5,0x0024 0x07EE 0x20 |
| 105 | +0x023,0x5,0x0025 0x07F8 0x20 |
| 106 | +0x023,0x5,0x0025 0x0802 0x20 |
| 107 | +0x023,0x5,0x0025 0x080C 0x20 |
| 108 | +0x023,0x5,0x0026 0x07D0 0x20 |
| 109 | +0x023,0x5,0x0026 0x07DA 0x20 |
| 110 | +0x023,0x5,0x0026 0x07EE 0x20 |
| 111 | +0x023,0x5,0x0026 0x0802 0x20 |
| 112 | +0x023,0x5,0x0026 0x080C 0x20 |
| 113 | +0x023,0x5,0x0027 0x07EE 0x20 |
| 114 | +0x023,0x5,0x0027 0x080C 0x20 |
| 115 | + |
| 116 | +#### 0x10c: MAF, AAC, TEMP, ?? |
| 117 | + * Temp MAF AAC ?? |
| 118 | +0x10C,0x8, 0x004A 0x0132 0x004A 0x004B |
| 119 | +0x10C,0x8, 0x004A 0x0132 0x004B 0x004B |
| 120 | +0x10C,0x8, 0x004A 0x0132 0x004C 0x004A |
| 121 | +0x10C,0x8, 0x004A 0x0139 0x0049 0x004A |
| 122 | +0x10C,0x8, 0x004A 0x0139 0x004A 0x004A |
| 123 | +0x10C,0x8, 0x004B 0x0132 0x004C 0x004B |
| 124 | +0x10C,0x8, 0x004B 0x0132 0x004C 0x004C |
| 125 | +0x10C,0x8, 0x004B 0x0132 0x004D 0x004B |
| 126 | +0x10C,0x8, 0x004B 0x0132 0x004D 0x004C |
| 127 | +0x10C,0x8, 0x004C 0x012B 0x004C 0x004C |
| 128 | +0x10C,0x8, 0x004C 0x012B 0x004C 0x004D |
| 129 | +0x10C,0x8, 0x004D 0x0124 0x004E 0x004D |
| 130 | +0x10C,0x8, 0x004D 0x0124 0x004F 0x004E |
| 131 | +0x10C,0x8, 0x004D 0x012B 0x004C 0x004D |
| 132 | +0x10C,0x8, 0x004D 0x012B 0x004D 0x004E |
| 133 | +0x10C,0x8, 0x004D 0x012B 0x004E 0x004D |
| 134 | +0x10C,0x8, 0x004D 0x012B 0x004F 0x004D |
| 135 | +0x10C,0x8, 0x004E 0x0124 0x004E 0x004E |
| 136 | +0x10C,0x8, 0x004E 0x0124 0x004E 0x004F |
| 137 | +0x10C,0x8, 0x004E 0x0124 0x004F 0x004F |
| 138 | + |
| 139 | +#### 0x1bf: Battery? |
| 140 | +0x1BF,0x6,0x00 0x0C 0x00 0x0E 0x00 0x0C |
| 141 | + |
| 142 | +#### 0x202: AAC / Temp / 0x52 |
| 143 | +0x202,0x5,0x004A 0x004A 0x52 |
| 144 | +0x202,0x5,0x004B 0x004B 0x52 |
| 145 | +0x202,0x5,0x004B 0x004D 0x52 |
| 146 | +0x202,0x5,0x004C 0x004A 0x52 |
| 147 | +0x202,0x5,0x004C 0x004C 0x52 |
| 148 | +0x202,0x5,0x004C 0x004D 0x52 |
| 149 | +0x202,0x5,0x004D 0x004D 0x52 |
| 150 | +0x202,0x5,0x004D 0x004E 0x52 |
| 151 | + |
| 152 | +#### 0x332: Lock |
| 153 | +0x332,0x8,"lock\0\0\0\0" |
| 154 | + |
| 155 | +### Plan: |
| 156 | +Send a |
| 157 | + 0x332,0x8,"unlock\0\0" |
| 158 | +Packet. |
| 159 | + |
| 160 | +At which point, we'll find out we can't because car is going too fast... |
| 161 | + |
| 162 | +So spam 0x10c to bring that down? |
| 163 | +Maybe zero 0x1bf to protective shutoff? |
| 164 | + |
| 165 | + |
| 166 | + |
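Review bot: the plan at the end ("So spam 0x10c to bring that down?") targets the wrong frame: by the capture headings above, MPH and RPM are carried in 0x023 ("0x023: MPH / RPM / 0x20"), while 0x10c carries Temp / MAF / AAC, so flooding 0x10c would not lower the speed a "too fast" lock check would read. Spoof 0x023 instead, with both 16-bit values zeroed and the trailing 0x20 kept, and send it at a higher rate than the real sender so the dashboard latches the spoofed value; then send the unlock frame, e.g. `cansend can0 332#756E6C6F636B0000` for `0x332,0x8,"unlock\0\0"`. Two prerequisites are worth spelling out in the CAN section: the interface is brought up with `listen-only on`, and a listen-only interface neither ACKs nor transmits, so it has to be reconfigured without that flag (`ip link set can0 down`, then `ip link set can0 type can bitrate 500000`, `ip link set can0 up`) before any of the above can go on the bus; and the bitrate is given as 500000 for SocketCAN but "49,500" for the logic analyzer, which cannot both describe the same bus, so note which one is the real CAN bitrate and which is a decoder setting, because a wrong SocketCAN bitrate shows up only as error frames in `candump`. Minor: `'E824F65A'.decode('hex')` in the Packet Structure snippet is Python 2 only; `bytes.fromhex('E824F65A')` works on both, and the unit for MAF in the "Running it" list (mV) does not match the ECU-style MAF description in the op table, so one of the two should be corrected.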